diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..8ee1a3a
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,15 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 */6 * * *'
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v40.2.2
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
diff --git a/.gitignore b/.gitignore
index fa730f7..9fa01de 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /secret.*.yaml
 /data/
-*.DS_Store
\ No newline at end of file
+/.envrc
+*.DS_Store
diff --git a/renovate.json5 b/renovate.json5
index 3f64283..420c42c 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,50 +1,22 @@
-// .github/renovate.json5 (or renovate.json)
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "autodiscover": false,
+  "extends": [
+    "config:base"
+  ],
+  "helm-values": {
+    "managerFilePatterns": ["^charts/.*/values\\.yaml$"]
+  },
   "packageRules": [
     {
-      "matchDatasources": ["docker"],
-      "extractVersion": "^(?<version>.*)$",
-      "versioning": "semver",
-      "groupName": "All Docker Images",
-      "pinDigests": true,
+      "matchUpdateTypes": ["major"],
+      "groupName": null,
+      "pinDigests": true
     },
-  ],
-  "helm": {
-    "fileMatch": ["charts/**/values.yaml"],
-    // You generally don't need to list public registries here.
-    // Only add specific entries for *private* registries that require explicit authentication.
-    // Renovate is smart enough to infer common public ones.
-    "registryUrls": {
-      // "my.private.registry.com": "https://my.private.registry.com/v2/" // Example for a private registry
-      }
-  },
-  "regexManagers": [
     {
-      "fileMatch": ["(^|/)charts/.*values\\.yaml$"],
-      "matchStrings": [
-        // Primary image:
-        // This regex tries to capture the full image name, including the registry if specified.
-        // It's designed to be flexible.
-        "repository:\\s*(?<depName>.*?)\\n\\s*tag:\\s*(?<currentValue>.*?)\\n",
-
-        // Nested images (e.g., piper.image, whisper.image):
-        // This regex accounts for a preceding key and potential 'image:' sub-key.
-        "^(?!\\s*#)[^\\s]*?:(?:\\n\\s*image:)?\\n\\s*repository:\\s*(?<depName>.*?)\\n\\s*tag:\\s*(?<currentValue>.*?)\\n"
-      ],
-      "datasourceTemplate": "docker",
-      // Important: Add a "depNameTemplate" to ensure capture group 1 (depName) is used
-      // which should contain the full path including registry
-      "depNameTemplate": "{{depName}}"
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "groupName": "non-major dependencies",
+      "groupSlug": "non-major",
+      "pinDigests": true
     }
-  ],
-  // ... rest of your configuration
-  "ignorePaths": ["**/node_modules/**", "**/vendor/**"],
-  "timezone": "Europe/Oslo",
-  "schedule": ["at any time"],
-  "commitMessageTopic": "{{depName}} Docker image",
-  "prConcurrentLimit": 5,
-  "dependencyDashboard": true,
-  "dependencyDashboardAutoclose": true
+  ]
 }